Best Practices from Oracle Development's A‑Team

Service Gateway for OAC Remote Data Gateway in a Private Subnet


Note: Private Access Channel is now available in Oracle Analytics and is recommended by Oracle for new connections to private data sources. For more information on the feature and the data sources it supports refer to:
    Connect to Private Data Sources Through a Private Access Channel
    Supported Data Sources
    A-Team Chronicles Private Access Channel Series

Last validated December 14, 2020 with OAC 5.8


The latest releases of Oracle Analytics Cloud (OAC) now include the new Remote Data Gateway (RDG) for accessing databases that are not otherwise accessible by OAC. 

One significant change is RDG can now be installed in private subnets with private IP addresses where Remote Data Connector required public subnets with public IP addresses.

This post is targeted to customers who are deploying RDG in the Oracle Cloud on Oracle Cloud Infrastructure (OCI) with private IP addresses. It is also a supplement to the posts Deploying Remote Data Gateway in Oracle Analytics Cloud for Data Visualization and Deploying Remote Data Gateway in Oracle Analytics Cloud for Metadata Repositories.

It is a step-by-step guide to creating the network components necessary for RDG agents in private subnets to establish connections to OAC.

The official documentation is https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/overview.htm


December 14, 2020 with OAC 5.8

August 31, 2019


Before You Begin

Creating a Service Gateway

Creating a Route Table that uses Service Gateway

 Before You Begin


For this post, deploying RDG requires the following:

Administration privileges and credentials in an Oracle Cloud Infrastructure (OCI) account to modify a Virtual Cloud Network (VCN)

A Regional Private Subnet within the VCN

 Creating a Service Gateway

About Service Gateway

A service gateway lets your virtual cloud network (VCN) privately access specific Oracle services e.g. Oracle Analytics Cloud (OAC) without exposing the data to the public internet. No internet gateway or NAT is required to reach those specific services. The resources in the VCN can be in a private subnet and use only private IP addresses. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

The service gateway is regional and enables access only to supported Oracle services in the same region as the VCN.

For details refer to https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/servicegateway.htm

The diagram below shows a Service Gateway accessing Object Storage. OAC is another service in the Oracle Services Network.

This image shows the basic layout of a VCN with a service gateway

Note: The NAT and Internet gateways shown above are not required for RDG.

For example, All PHX Services in Oracle Services Network is a service CIDR label that represents all the CIDRs for the supported services in the Oracle Services Network in the US Phoenix region.

Creating the Service Gateway

The following is from the Oracle Networking documentation listed above.

  1. In the Console, confirm you're viewing the compartment that contains the VCN that you want to add the service gateway to. For information about compartments and access control, see Access Control.

  2. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.

  3. Click the VCN you're interested in.

  4. On the left side of the page, click Service Gateways.

  5. Click Create Service Gateway.

  6. Enter the following values: 

    • Name: A descriptive name for the service gateway. It doesn't have to be unique. Avoid entering confidential information.

    • Create in compartment: The compartment where you want to create the service gateway, if different from the compartment you're currently working in. 

    • Services: Optionally select the service CIDR label e.g. All PHX Services in Oracle Services Network you're interested in. If you don't select one now, you can later update the service gateway and add a service CIDR label then. Without at least one service CIDR label enabled for the gateway, no traffic flows through it.

    • Tags: Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.

  7. Click Create Service Gateway.

    The service gateway is then created and displayed on the Service Gateways  page in the compartment you chose. The gateway allows traffic through it by default. At any time, you can block or allow the traffic through it.

The new Service Gateway appears with an available status.

 Updating the Private Subnet Route Table

When you configure a service gateway for a particular service CIDR label e.g. All PHX Services in Oracle Services Network, you must also create a route rule that specifies that label as the destination and the target as the new service gateway e.g. Service-Gateway-PHX. You do this for each subnet that needs to access the gateway.

  1. Determine which subnets in your VCN, created for RDG agents, need access to the service gateway. 

  2. For each of those subnets, update the subnet's route table to include a new rule: 

    1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.

    2. Click the VCN you're interested in.

    3. Under Resources, click Route Tables.

    4. Click the route table you're interested in.

    5. Click Edit Route Rules.

    6. Click Add Route Rule and enter the following values:

      • Target Type: Service Gateway.

      • Destination Service: The service CIDR label e.g. All PHX Services in Oracle Services Network that is enabled for the gateway.

      • Compartment: The compartment where the service gateway is located.

      • Target: The service gateway.

    7. Click Save.

Now, any subnet traffic with a destination that matches the rule is routed to the service gateway. For more information about setting up route rules, see Route Tables.

The routing rule appears as:

Now, any subnet traffic with a destination that matches the rules e.g. OAC is routed to the service gateway. For more information about setting up route rules, see Route Tables.

You can now configure Remote Data Gateway agents in a private subnet.


This post described the steps for creating the network components necessary for RDG agents in private subnets to establish connections to OAC.

For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley


Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha